Reports

Transport and Infrastructure 2022

Transport
Asset valuation
Financial reporting
Information technology
Infrastructure
Management and administration
Procurement

What the report is about

Result of the Transport and Infrastructure cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for all Transport and Infrastructure cluster agencies' financial statements.

An 'other matter' paragraph was included in TAHE's Independent Auditor's Report for its 30 June 2022 financial statements which draws attention to Transport and Asset Holding Entity's (TAHE) reliance on government-funded customers.

We included an ‘emphasis of matter’ paragraph in the Independent Auditor’s Report for State Transit Authority of New South Wales’ (the authority) 30 June 2022 financial statements, which draws attention to the financial statements being prepared on a liquidation basis as the authority’s principal activities ceased operations on 3 April 2022.

What the key issues were

The 2021–22 audits identified five high-risk findings:

  • detailed business modelling to support returns from TAHE
  • valuation of assets at TAHE
  • control of assets at TAHE
  • accounting and valuation of tree assets at Centennial Park and Moore Park Trust and Parramatta Park Trust.

Access and licence fees - TAHE

Revised commercial agreements were signed between TAHE, the operators and Transport for NSW on 23 June 2022 to reflect increased access and licence fees detailed in the 18 December 2021 Heads of Agreement.

TAHE’s ability to generate the expected return of 2.5% based on the current modelling is heavily reliant on the government funding the public rail operators (TAHE's customers).

There are risks that:

  • TAHE will not be able to recontract for access and licence fees at a level that is consistent with current projections
  • future governments' funding to TAHE's key customers will not be sufficient to fund payment of access and licence fees at a level that is consistent with current projections
  • TAHE will be unable to grow its non-government revenues.

Valuation of assets - TAHE

Although TAHE's selected valuation of assets falls within an acceptable range, there remains a significant gap between what has been assessed as an acceptable range and TAHE's range.

What we recommended

Control of assets - TAHE

While we accepted TAHE’s position on control for the current year, NSW Treasury and TAHE should continue to monitor the risk that control of TAHE assets could change in future reporting periods. TAHE must continue to demonstrate control of its assets or the current accounting presentation would need to be reconsidered.

This report provides Parliament and other users of the Transport and Infrastructure cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport and Infrastructure cluster (the cluster) for 2022.

Section highlights

  • Unqualified audit opinions were issued on all Transport and Infrastructure cluster agencies' financial statements.
  • An 'Other Matter' paragraph was included in the Transport Asset Holding Entity of New South Wales' (TAHE) Independent Auditor's Report to draw attention to TAHE's reliance on government-funded customers.
  • An 'Emphasis of Matter' paragraph was included in the State Transit Authority of New South Wales' (the authority) Independent Auditor's Report to draw attention to management’s disclosures that State Transit Authority of New South Wales' financial statements for the year ended 30 June 2022 were prepared on a liquidation basis as the authority’s principal activities ceased operations on 3 April 2022.
  • While TAHE's valuation of assets at 30 June 2022 was within an acceptable range of valuation outcomes, there remained significant differences in assumptions used when compared with relevant market benchmarks.
  • Sydney Metro corrected two prior period errors of $1.5 billion and $51 million in accounting and valuation of assets, and double counting of assets capitalised in infrastructure as well as assets under construction respectively.

 

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.

Section highlights

  • The number of findings reported to management decreased from 87 in 2020–21 to 59 in 2021–22.
  • Repeat findings accounted for 54.2% of management letter points. Many repeat findings related to controls over payroll, including management of annual leave and processing of timesheets, management of conflicts of interests, weaknesses in controls over information technology user access administration and password management.
  • One new high-risk issue was identified in 2020–21, and four high-risk repeat issues remained.
  • The five high-risk issues arose from the audit in the cluster, with respect to:
    • control over TAHE assets and operations (repeat)
    • TAHE detailed business modelling to support returns (repeat)
    • valuation of trees (repeat for Parramatta Park Trust and Centennial Park and Moore Park Trust)
    • TAHE asset valuations.

 

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Stronger Communities 2022

Justice
Community Services
Asset valuation
Compliance
Cyber security
Financial reporting
Information technology
Internal controls and governance
Management and administration
Procurement
Project management
Risk

What the report is about

Results of the Stronger Communities cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unqualified audit opinions were issued on all completed 30 June 2022 financial statement audits. One audit is ongoing.

All 13 cluster agencies that have accommodation arrangements with Property NSW derecognised right-of-use assets and lease liabilities of $917 million and $1 billion respectively. The agencies also collectively recorded a gain on derecognition of $136 million.

The Department of Communities and Justice (the department) assumed the responsibility for delivery of the Process and Technology Harmonisation program from the Department of Customer Service. In 2021–22, the department incurred costs of $42.8 million in relation to the project, which remains ongoing.

The number of monetary misstatements identified during the audits decreased from 50 in 2020–21 to 48 in 2021–22.

What the key issues were

Six of the 15 cluster agencies required to submit 2021–22 mandatory early close procedures did not meet the statutory deadlines. One agency did not complete all mandatory procedures.

Five high-risk findings were identified in 2021–22. They related to deficiencies in:

  • user access administration at the department, NSW Rural Fire Service and New South Wales Aboriginal Land Council (NSWALC)
  • segregation of duties at the NSW Trustee and Guardian and NSWALC.

Recommendations were made to those agencies to address these control deficiencies.

This report provides Parliament and other users of the Stronger Communities cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Stronger Communities cluster (the cluster) for 2022.

Section highlights

  • Unqualified audit opinions were issued on all completed 30 June 2022 financial statement audits of cluster agencies, including the acquittal and compliance audits for the Legal Aid Commission of New South Wales and Crown Solicitor's Office. One audit is ongoing.

  • Reported corrected misstatements decreased from 30 in 2020–21 to 23 with a gross value of $187 million in 2021–22 ($101 million in 2020–21). Reported uncorrected misstatements increased from 20 in 2020–21 to 25 with a gross value of $92.3 million in 2021–22 ($107 million in 2020–21).

  • Six of the 15 cluster agencies required to submit 2021–22 early close financial statements and all other mandatory procedures did not meet the statutory deadlines. One agency did not complete all mandatory procedures.

  • All 13 cluster agencies that have accommodation arrangements with Property NSW accepted the changes in the Client Acceptance Letters, resulting in the derecognition of right-of-use assets and lease liabilities of $917 million and $1 billion respectively. The agencies also collectively recorded a gain on derecognition of $136 million.

  • The Department of Communities and Justice (the department) assumed the responsibility to deliver the Process and Technology Harmonisation program from the Department of Customer Service. In 2021–22, the department incurred costs of $42.8 million in relation to the project.

  • In 2021–22, the department continued to implement the International Financial Reporting Standards Interpretations Committee's agenda decision on 'Configuration or customisation costs in a cloud computing arrangement'. The department's review of the remaining arrangements, with a net book value of $233 million at 30 June 2021, resulted in the recognition as an expense (through accumulated funds at 1 July 2020) of previously capitalised intangible assets totalling $106 million.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Stronger Communities cluster.

Section highlights

  • The number of issues reported to management has decreased from 130 in 2020–21, to 110 in 2021–22, and 43% were repeat issues (51% in 2020–21). Many repeat issues related to information technology, governance and oversight controls, and non-compliance with key legislation and/or agency policies.

  • Five high-risk issues were identified in 2021–22, all of which are repeat issues and related to user access administration and segregation of duties.

  • Of the 24 newly identified moderate risk issues, 11 related to information technology. The rest related to governance and oversight controls and internal control deficiencies or improvements in payroll, asset management and other processes.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

 


Health 2022

Health
Whole of Government
Asset valuation
Compliance
Cyber security
Financial reporting
Information technology
Infrastructure
Internal controls and governance
Management and administration
Procurement
Risk
Service delivery
Shared services and collaboration
Workforce and capability

What the report is about

Result of Health cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for the financial statements for all Health cluster agencies.

The COVID-19 pandemic continued to increase the complexity and number of accounting matters faced by the cluster. The total gross value of corrected misstatements in 2021–22 was $353.3 million, of which $186.7 million related to an increase in the impairment provision for Rapid Antigen Tests (RATs).

A qualified audit opinion was issued on the Annual Prudential Compliance Statement related to five residential aged care facilities. There were 20 instances (19 in 2020–21) of non-compliance with the prudential responsibilities within the Aged Care Act 1997.

What the key issues were

The total number of matters we reported to management across the cluster decreased from 116 in 2020–21 to 67 in 2021–22. Of the 67 issues raised, four were high risk (three in 2020-21) and 37 were moderate risk (57 in 2020–21). Nearly half of all control deficiencies reported in 2021–22 were repeat issues.

Three unresolved high-risk issues were:

  • COVID-19 inventories impairment – we continued to identify issues relating to management’s impairment model which relies on anticipated future consumption patterns. RATs had not been assessed for impairment.

  • Asset capitalisation threshold – management has not reviewed the appropriateness of the asset capitalisation threshold since 2006.

  • Forced-finalisation of HealthRoster time records – we continued to observe unapproved rosters being finalised by system administrators so payroll can be processed on time. 2.6 million time records were processed in this way in 2021–22.

What we recommended

  • COVID-19 inventories impairment – ensure consumption patterns are supported by relevant data and plans.

  • Assets capitalisation threshold – undertake further review of the appropriateness of applying a $10,000 threshold before capitalising expenditure on property, plant and equipment.

  • Forced-finalisation of HealthRoster time records – develop a methodology to quantify the potential monetary value of unapproved rosters being finalised.

This report provides Parliament and other users of Health cluster (the cluster) agencies' financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

  • financial reporting

  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Health cluster (the cluster) for 2022.

Section highlights

  • Unqualified audit opinions were issued for all cluster agencies required to prepare general purpose financial statements.

  • The total gross value of corrected monetary misstatements for 2021–22 was $353.3 million, of which, $186.7 million related to an increase in the impairment provision for Rapid Antigen Tests.

  • A qualified audit opinion was issued on the ministry's Annual Prudential Compliance Statements.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.

Section highlights

  • The total number of internal control deficiencies has decreased from 116 in 2020–21 to 67 in 2021–22. Of the 67 issues raised in 2021–22, four were high (2020–21: 3) and 37 were moderate (2020–21: 57); with nearly half of all control deficiencies reported in 2021–22 being repeat issues.

  • The following four issues were reported in 2021–22 as high risk:

    • impairment of COVID-19 inventories

    • inadequate review over the appropriateness of asset capitalisation threshold

    • forced-finalisation of HealthRoster time records

    • COVID-19 vaccination inventories – data quality issue at 31 March 2022.

  • Management of excessive leave balances and poor quality or lack of documentation supporting key agreements continued to be the key repeat issues observed in the 2021–22 financial reporting period.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

 

Education 2022

Education
Asset valuation
Compliance
Cyber security
Financial reporting
Information technology
Internal controls and governance
Procurement
Risk

What the report is about

Result of the Education cluster financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for Education cluster agencies.

An 'other matter' paragraph was included in the TAFE Commission's independent auditor's report as it did not have a delegation or sub-delegation from the Minister for Education and Early Learning to incur expenditure from cluster grants.

What the key issues were

Annual fair value assessments of land and buildings showed material differences in their carrying values. As a result, the Department of Education and the TAFE Commission completed desktop revaluations of land and buildings, collectively increasing the value of these assets by $1.2 billion and $4.7 billion respectively.

The Department of Education and the NSW Education Standards Authority accepted changes to their office leasing arrangements managed by Property NSW. These changes resulted in the collective derecognition of $270.6 million of right-of-use assets and $382.9 million in lease liabilities.

What we recommended

A high-risk matter was reported in the management letter for the TAFE Commission highlighting non-compliance with policies and procedures guiding appropriate use of purchasing cards.

We recommended cluster agencies prioritise and address internal control deficiencies.

This report provides Parliament and other users of the Education cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster (the cluster) for 2022.

Section highlights

  • Unqualified audit opinions were issued on the financial statements of cluster agencies.
  • An 'other matter' paragraph was included in the independent auditor's report for the Technical and Further Education Commission (TAFE Commission) as they did not have a delegation or sub-delegation from the Minister for Education and Early Learning to incur expenditure from cluster grants.
  • The Department of Education and the TAFE Commission's land and buildings were revalued upwards by a collective $5.9 billion. These uplifts were the result of managerial fair value assessments showing that the carrying values of land and buildings had materially departed from fair value.
  • Changes to accommodation arrangements managed by Property NSW on behalf of the department and the NSW Education Standards Authority resulted in the collective derecognition of approximately $270.6 million in right-of-use assets and corresponding lease liabilities totalling $382.9 million from the balance sheets of these agencies. 

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Education cluster.

Section highlights

  • The 2021–22 audits identified 18 moderate issues across the cluster. Seven moderate risk issues were repeat issues related to general and application information technology controls and control deficiencies in key transactional systems used in preparing financial statements.
  • Of the 11 newly identified moderate risk issues, five related to information technology controls deficiencies; and five related to internal control deficiencies in key transactional systems used in preparing financial statements.
  • A high-risk matter was raised at the TAFE Commission relating to identified instances of non-compliance with policies and procedures guiding purchasing card use. 

The number of findings reported to management has increased, and 31% were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2021–22, there were 29 findings raised across the cluster (28 in 2020–21). Thirty-one per cent of all issues were repeat issues (50% in 2020–21).

The most common new and repeat issues related to internal control deficiencies in agencies’ information technology general controls, application controls, and procurement and payroll practices.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies. 

A high-risk matter was reported at the TAFE Commission highlighting instances of non-compliance with policies and procedures guiding appropriate purchasing card use

As part of our audit of the TAFE Commission, we integrated the use of data analytics into the audit approach. We performed data analytics over aspects of payroll, procurement and accounts payable activities. This helped us to highlight anomalies or risks in those data sets that are relevant to the audit of the TAFE Commission and plan testing procedures to address those risks. Data analytics also assisted us in providing an insight into the internal control environment of the TAFE Commission, highlighting areas where key controls are not in place or are not operating as management intended.

Our analysis over purchasing card data supplied by the TAFE Commission for the period July 2021 to March 2022 found deficiencies in the provisioning, use and cancellation of purchasing cards. This included identified instances of:

  • controls effectively bypassed when a purchasing card surrendered by a former employee had been used by another employee
  • split payments, circumventing delegation / cardholder limits
  • delays in the submission and approval of purchasing card transactions.

The table below describes the common issues identified across the cluster by category and risk rating:

Information technology

Risk rating:

  • High [1]: 0 new, 0 repeat
  • Moderate [2]: 5 new, 3 repeat
  • Low [3]: 2 new, 1 repeat

Issue:

The financial audits identified areas for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of note were deficiencies identified in:

  • agencies' user access administration and change management procedures, notably in the timing and frequency of managerial reviews over the granting and revocation of access to key systems relevant to financial reporting
  • the level of cyber security maturity
  • the monitoring of privileged user activities.

Internal control deficiencies or improvements

Risk rating:

  • High [1]: 1 new, 0 repeat
  • Moderate [2]: 5 new, 3 repeat
  • Low [3]: 4 new, 1 repeat

Issue:

The financial audits identified internal control weaknesses across key business processes relevant to financial reporting. Of note were deficiencies identified in:

  • the adequacy of monitoring and oversight activities over the use of multiple financial delegation configurations in finance systems for specific users
  • the timely recording and approval of overtime claims and higher duties allowances
  • the timely finalisation of policies and procedures
  • the management of excessive annual leave balances
  • formalisation of service-provider arrangements between government agencies
  • non-compliance with policies and procedures to guide secondary employment and pecuniary interest declarations
  • non-compliance with policies and procedures to guide the appropriate use of purchasing cards.

Financial reporting

Risk rating:

  • High [1]: 0 new, 0 repeat
  • Moderate [2]: 1 new, 1 repeat
  • Low [3]: 2 new, 0 repeat

Issue:

The financial audits identified:

  • opportunities for agencies to strengthen their financial preparation processes to facilitate a timelier and more efficient year-end audit
  • matters in respect of the timely capitalisation of work-in-progress
  • the need for agencies with non-financial assets subject to fair value to reconsider policy settings governing the frequency of revaluations
  • refinements in considering the outcomes of interim fair value assessments to ensure asset carrying values reflect fair value at each balance date.

[1] High risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
[2] Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
[3] Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.

Note: Management letter findings are based either on final management letters issued to agencies, or draft letters where findings have been agreed with management.

 

Recommendation

We recommend cluster agencies prioritise and action recommendations to address the internal control deficiencies outlined above. 

Audit Insights 2018-2022

Community Services
Education
Environment
Finance
Health
Industry
Justice
Local Government
Premier and Cabinet
Planning
Transport
Treasury
Universities
Whole of Government
Asset valuation
Cross-agency collaboration
Compliance
Cyber security
Financial reporting
Fraud
Information technology
Infrastructure
Internal controls and governance
Management and administration
Procurement
Project management
Regulation
Risk
Service delivery
Shared services and collaboration
Workforce and capability

What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

  • Integrity and transparency
  • Performance and monitoring
  • Governance and oversight
  • Cyber security and data
  • System planning for disruption
  • Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

Fast facts

  • 72 audits included in the Audit Insights 2018–2022 analysis
  • 4 years of audits tabled by the Auditor-General for New South Wales
  • 6 key themes for Audit Insights 2018–2022.

I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

Integrity and transparency Performance and monitoring Governance and oversight Cyber security and data System planning Resource management
Insufficient documentation of decisions reduces the ability to identify, or rule out, misconduct or corruption. Failure to apply lessons learned risks mistakes being repeated and undermines future decisions on the use of public funds. The control environment should be risk-based and keep pace with changes in the quantum and diversity of agency work. Building effective cyber resilience requires leadership and committed executive management, along with dedicated resourcing to build improvements in cyber security and culture. Priorities to meet forecast demand should incorporate regular assessment of need and any emerging risks or trends. Absence of an overarching strategy to guide decision-making results in project-by-project decisions lacking coordination. Governments must weigh up the cost of reliance on consultants at the expense of internal capability, and actively manage contracts and conflicts of interest.
Government entities should report to the public at both system and project level for transparency and accountability. Government activities benefit from a clear statement of objectives and associated performance measures to support systematic monitoring and reporting on outcomes and impact. Management of risk should include mechanisms to escalate risks, and action plans to mitigate risks with effective controls. In implementing strategies to mitigate cyber risk, agencies must set target cyber maturity levels, and document their acceptance of cyber risks consistent with their risk appetite. Service planning should establish future service offerings and service levels relative to current capacity, address risks to avoid or mitigate disruption of business and service delivery, and coordinate across other relevant plans and stakeholders. Negotiations on outsourced services and major transactions must maintain focus on integrity and seeking value for public funds.
Entities must provide balanced advice to decision-makers on the benefits and risks of investments. Benefits realisation should identify responsibility for benefits management, set baselines and targets for benefits, review during delivery, and evaluate costs and benefits post-delivery. Active review of policies and procedures in line with current business activities supports more effective risk management. Governments hold repositories of valuable data and data capabilities that should be leveraged and shared across government and non-government entities to improve strategic planning and forecasting. Formal structures and systems to facilitate coordination between agencies is critical to more efficient allocation of resources and to facilitate a timely response to unexpected events. Transformation programs can be improved by resourcing a program management office.
Clear guidelines and transparency of decisions are critical in distributing grant funding. Quality assurance should underpin key inputs that support performance monitoring and accounting judgements. Governance arrangements can enable input into key decisions from both government and non-government partners, and those with direct experience of complex issues.     Workforce planning should consider service continuity and ensure that specialist and targeted roles can be resourced and allocated to meet community need.
Governments must ensure timely and complete provision of information to support governance, integrity and audit processes.          

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

  • Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
  • Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
  • Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Health 2019

Health
Asset valuation
Compliance
Financial reporting
Fraud
Information technology
Internal controls and governance
Management and administration
Procurement
Project management

This report focuses on key observations and findings from the most recent financial audits of the Ministry of Health, local health districts, specialty health networks, health corporations and independent health agencies in New South Wales. The report also summarises self-reported performance measures across the network.

The number and value of adjustments to financial statements of entities in the Health Cluster decreased from the prior year. Unqualified audit opinions were issued for all health entities’ financial statements.

Audit findings relating to internal controls deficiencies increased across health entities. Contributing to this increase were deficiencies in information system controls, which accounted for nearly a quarter of all control deficiencies. Repeat audit findings also accounted for more than a quarter of all control deficiencies.

The report notes health entities continued to experience challenges with managing employees’ excessive annual leave and time recording practices. The Ambulance Service of New South Wales continued to report high overtime payments to its employees. 

This report analyses the results of our audits of financial statements of the agencies comprising the Health cluster for the year ended 30 June 2019. The table below summarises our key observations.

1. Machinery of Government changes

Cluster changes

Machinery of Government (MoG) changes refer to how the government reorganises agency structures and functions and realigns ministerial responsibilities. The Health cluster was not impacted by the MoG changes.

2. Financial reporting

Financial reporting

The financial statements of NSW Health and its controlled entities received unqualified audit opinions before the legislative deadline.

The number of corrected and uncorrected misstatements decreased from the prior year.

Management implemented more robust processes for its oversight of complex asset revaluations in 2018–19. We found no significant errors in 2018–19.

Financial performance

Overall, NSW Health recorded an operating surplus of $1.1 billion in 2018–19, an increase of $699 million from 2017–18. This was the result of additional funding received for capital expenditure on the construction of new facilities, upgrades and redevelopments.

Budgeted expense for the 15 local health districts and two speciality networks increased from $18.3 billion to $19.4 billion in 2018–19. The 15 health entities recorded unfavourable variances between actual and budgeted expenses.

Excess annual leave

Managing excess annual leave remains a challenge for NSW Health; 36.9 per cent of the workforce have excess annual leave balances.

Recommendation: Health entities should further review their approach to managing excess annual leave in 2019–20, and:

  • monitor current and projected leave balances to the end of the financial year on a monthly basis
  • agree formal leave plans with employees to reduce leave balances over an acceptable timeframe
  • encourage staff who perform key control functions to take at least two consecutive weeks’ leave a year to mitigate fraud risks.

Overtime payments

NSW Health entities generally manage overtime well. The Ambulance Service of NSW’s overtime payments of $83.1 million (9.8 per cent of total salaries and wages) remain significantly higher than other health entities.

Recommendation: The Ambulance Service of NSW should further review the effectiveness of its rostering practices to identify strategies to reduce overtime payments.

3. Audit observations

Internal control deficiencies

We identified more internal control deficiencies in 2018–19. The number of repeat issues from prior years also remains high with more than one quarter of issues having been previously reported. More than a quarter of deficiencies related to information system controls.

Infrastructure delivery

NSW Health defines projects with a budgeted cost greater than $50.0 million as 'major projects'. There were significant revisions to planned financial completion dates and budgeted costs of these projects. The revised total budget for the 30 ongoing major capital projects at 30 June 2019 is $10.2 billion, $2.2 billion more than the original budget.

Health Infrastructure completed three major capital projects during 2018–19.

Asset maintenance

The total cost of maintaining the health entities’ $19.8 billion of assets was $635 million for 2018–19. Health entities' approaches to setting maintenance budgets vary. Most entities are addressing their backlog maintenance, although many were not able to quantify the full extent of their backlog maintenance. Although health entities continue to use fully depreciated assets, the replacement cost of these assets is decreasing.

This report provides parliament and other users of the financial statements of agencies within the Health cluster with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas for the year ended 30 June 2019:

  • financial reporting
  • audit observations. 

 The Health cluster was not impacted by the Machinery of Government changes on 1 July 2019. 

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the health cluster for 2019.

Section highlights

  • We issued unqualified audit opinions for all health entities’ financial statements and identified fewer misstatements than last year. Health entities continue to meet statutory deadlines.
  • The Ministry of Health sets significant accounting policies centrally and provides a template for the preparation of health entities’ financial statements. These processes promote consistent quality in the financial reports of health entities and reduce the number of misstatements we identify.
  • NSW Health recorded an operating surplus of $1.1 billion, an increase of $699 million from 2017–18. This is because of additional capital grants for new facilities, upgrades and redevelopments. The capital replacement ratio (investment in new assets divided by depreciation) for NSW Health is 2.6.
  • NSW Health’s expenses increased by 7.0 per cent in 2018–19 (5.5 per cent in 2017–18). This is one percentage point higher than the projected long-term annual expense growth rate of six per cent. The primary causes for the growth in expenses are increased:
    • employee related expenses because provisions for employee benefits increased when the discount rate decreased
    • operating expenses associated with the opening of Northern Beaches Hospital.
  • Excess annual leave balances continue to increase for the NSW Health workforce, with excess annual leave balances impacting 37 per cent of employees (34 per cent in 2017–18).
  • Health entities should further review their approach to managing excess annual leave in 2019–20 by monitoring current and projected leave balances on a regular basis, agreeing formal leave plans with employees and encouraging staff that perform key control functions to take a minimum of two consecutive weeks’ leave a year as a fraud mitigation strategy.
  • The Ambulance Service continued to report overtime payments higher than other health entities. The Ambulance Service paid its employees $83.1 million in overtime payments in 2018–19 ($74.8 million in 2017–18).
  • We issued a qualified audit opinion for the Ministry of Health's Annual Prudential Compliance Statement for aged care facilities operated by NSW Health. We identified 40 instances of material non-compliance with the Fees and Payments Principles 2014 (No. 2) (the Principles) in 2018–19 (17 in 2017–18).

Audit opinions 

We issued unqualified audit opinions for all health entities and quality of financial reporting continues to improve

We identified fewer misstatements this year, and the errors were less significant. In 2018–19 no errors exceeded $5.0 million (eight errors recorded in 2017–18). Ten health entities conducted a full revaluation of their land, buildings and infrastructure systems in 2018–19, but more robust processes avoided the errors identified in the previous year.

Number of misstatements

| Year ended 30 June | 2019 (corrected) | 2019 (uncorrected) | 2018 (corrected) | 2018 (uncorrected) | 2017 (corrected) | 2017 (uncorrected) |
| --- | --- | --- | --- | --- | --- | --- |
| Less than $50,000 | -- | -- | -- | 6 | 3 | 3 |
| $50,000 to $249,999 | -- | 1 | -- | -- | 2 | 3 |
| $250,000 to $999,999 | 1 | -- | -- | -- | 1 | 3 |
| $1 million to $4,999,999 | -- | 2 | -- | 2 | 1 | 5 |
| $5 million and greater | -- | -- | 6 | 2 | 1 | 2 |
| Total number of misstatements | 1 | 3 | 6 | 10 | 8 | 16 |

Source: Statutory Audit Reports issued by the Audit Office.

We issued a qualified audit opinion for our compliance audit of the Ministry of Health's Annual Prudential Compliance Statement

The Ministry of Health operates eight aged care facilities in NSW and is required to comply with the Fees and Payments Principles 2014 (No. 2) (the Principles) when entering into agreements with and managing payments to and from care recipients. The Principles are set by the Commonwealth Assistant Minister for Social Services. We identified 40 instances of material non-compliance in 2018–19, including:

  • not agreeing maximum accommodation amounts payable with aged care recipients before they entered the residential care services
  • not entering into accommodation agreements with care recipients within the specified period
  • charging incorrect fees for activities or services to one care recipient
  • not refunding two bond balances within the statutory framework
  • not paying the correct amount of interest for 14 care recipients’ bonds refunded during the year.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the health cluster.

Section highlights

  • The number of internal control deficiencies has increased since 2017–18. More than a quarter of control deficiencies are repeat issues and almost a quarter relate to information system controls. Both employee time recording and leave management remain as repeat issues in 2018–19.
  • Control deficiencies that relate to managing employees' leave, employees’ time recording or information system limitations can be difficult for entities to resolve in a timely manner.
  • Agreements for the treatment of New South Wales residents while they are interstate, and interstate residents while they are in New South Wales, are unsigned for Queensland, Victoria and the Australian Capital Territory for 2016–17, 2017–18 and 2018–19.
  • NSW Health recorded $113.6 million in revenue from fees charged to Medicare ineligible patients during 2018–19 but has received payment for less than half of this.
  • NSW Health reported that they completed three major capital projects during 2018–19.
  • As at 30 June 2019 there were 30 ongoing major capital health projects in NSW. The revised capital budget for these projects in total was $2.2 billion more than the original budget of $8.0 billion.
  • Health entities spent $635 million maintaining assets with a fair value of $19.8 billion. Almost all entities were working through backlog maintenance during 2018–19, although several were unable to quantify the backlog.
  • While entities are now regularly reassessing the useful lives of their assets, entities are still using a high volume of assets that are fully depreciated. Due to the age and nature of these assets the impact was not material.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – Financial data 

Appendix four – Analysis of financial indicators

Appendix five – Analysis of performance against budget

Published

Internal Controls and Governance 2019

Education
Community Services
Finance
Health
Industry
Justice
Planning
Premier and Cabinet
Transport
Treasury
Whole of Government
Compliance
Cyber security
Fraud
Information technology
Internal controls and governance
Management and administration
Procurement
Project management

This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.

The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:

  • financial controls
  • information technology controls
  • gifts and benefits
  • internal audit
  • contingent labour
  • sensitive data.

The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.

1. Internal control trends

New, repeat and high risk findings

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or reprioritised as the changes are implemented.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

Common findings

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

  • out of date policies or an absence of policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers or gaps in these registers
  • policies, procedures or controls no longer suited to the current organisational structure or business activities.

2. Information technology controls

IT general controls

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

  • user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
  • an absence of privileged user activity reviews at 35 per cent of agencies
  • password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

3. Gifts and benefits

Gifts and benefits registers

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

Managing gifts and benefits

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

  • ensuring agency policies comprehensively cover the elements necessary to make them effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
  • establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
  • providing on-going training, awareness activities and support to employees, not just at induction
  • publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Reporting and monitoring

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

4. Internal audit

Obtaining value from the internal audit function

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of Chief Audit Executives (CAEs) regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Role of the Chief Audit Executive

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also need review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

  • the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
  • the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Quality assurance and improvement program

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for their internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

5. Managing contingent labour

Obtaining value for money from contingent labour

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

  • preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
  • involving agency human resources units in decisions about engaging contingent labour
  • regularly reporting on contingent labour use and tenure to agency executive teams
  • strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

6. Managing sensitive data

Identifying and assessing sensitive data

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

  • identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
  • assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Managing data breaches

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.

This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.

Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.

This report offers insights into internal controls and governance in the NSW public sector

This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

  • highlighting the potential risks posed by weaknesses in controls and governance processes
  • helping agencies benchmark the adequacy of their processes against their peers
  • focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.

Areas of specific focus of the report have changed since last year

Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sector’s progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:

  • internal control trends
  • information technology controls, including access to agency systems
  • protecting sensitive information held within agencies
  • managing large and diverse workforces (controls around employing and managing contingent workers)
  • maintaining an ethical culture (management of gifts and benefits)
  • effectiveness of internal audit function and its oversight by Audit and Risk Committees.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations
  • support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Key conclusions and sector wide learnings

We identified four high risk findings, compared to six last year. None of the findings are common with those in the previous year. There was an overall increase of 12 per cent in the number of internal control deficiencies compared to last year. The increase is predominately due to a 100 per cent increase in the number of repeat financial and IT control deficiencies.
 
Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re-prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.
 
We also identified a number of findings that were common to multiple agencies. These common findings often related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
  • out of date policies or an absence of policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Key conclusions and sector wide learnings

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits. 

Key conclusions and sector wide learnings

We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.

Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.

Areas where agencies can improve their management of gifts and benefits include:

  • ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
  • establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
  • updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
  • providing on-going training, awareness activities and support to employees, not just at induction
  • regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
  • publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.

Key conclusions and sector wide learnings 

We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including: 

  • documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
  • ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally nor administratively to the finance function or other significant recipients of internal audit services
  • involving the CAE more extensively in executive forums as an observer
  • documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
  • reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.

Key conclusions and sector wide learnings

Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.

There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include: 

  • preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
  • involving agency human resources units in decisions about engaging contingent labour
  • regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
  • strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.

Key conclusions and sector wide learnings

Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.

It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Key areas where agencies can improve their management of sensitive data include:

  • identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
  • assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
  • developing comprehensive data breach management policies to ensure data breaches are appropriately managed
  • maintaining a data breach incident register to record key information in relation to identified data breach incidents, including the estimated cost of the breach
  • providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.

Appendix one – List of 2019 recommendations 

Appendix two – Status of 2018 recommendations

Appendix three – In-scope agencies

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Ensuring contract management capability in government - HealthShare NSW

Health
Management and administration
Procurement
Project management

This report examined whether HealthShare NSW, a part of NSW Health, has the required contract management capability to effectively manage goods and services contracts valued over $250,000. 

The report found that HealthShare has a procurement framework that should support effective contract management, but it is not applying it consistently. In particular, the audit found that HealthShare was not applying key contract management elements to over 80 per cent of the high-value contracts it manages. The audit also found that HealthShare’s contract management practices were limited by inadequate performance monitoring.

'Effective contract management is essential to ensure the contracts HealthShare enters into are delivering as expected and ensuring value for money,' said the Auditor-General. 'Without this, the value for money or savings HealthShare achieves when it negotiates these contracts is at risk of being eroded over the life of the contract.'

The report recommends that NSW Health develop a performance improvement plan to ensure HealthShare is fully compliant with procurement policies and that NSW Health meets its obligations under the Government's Accreditation Program for Goods and Services Procurement.

HealthShare is a NSW Health entity responsible for providing shared services, including procurement, to support the delivery of patient care within the NSW health system. In 2018, HealthShare procured high value goods and services contracts with an annual estimated total spend of around $1.8 billion, with most of the contracts of long duration.

NSW Government agencies are increasingly delivering services and projects through contracts with third parties. These contracts can be complex and governments face challenges in negotiating and implementing them effectively. A robust contract management framework helps ensure all parties meet their obligations, contractual relationships are well managed, agencies achieve value for money, and deliverables meet the required standards and agreed timeframes.

Contract management capability is a broad term, which can include aspects of individual staff capability (such as staff knowledge, skills and experience) as well as organisational capability (such as policies, frameworks and processes).

The NSW Procurement Board is responsible for overseeing the Government's procurement system, setting policy and ensuring compliance. It has accredited the Health Administration Corporation (HAC) to procure goods and services with no upper financial limit. Under the terms of this accreditation, the Secretary, NSW Health (as head of HAC) has delegated the procurement of high-value (over $250,000) goods and services contracts within NSW Health to only the Ministry of Health and HealthShare NSW (HealthShare).

HealthShare NSW (HealthShare) is a NSW Health entity responsible for providing shared services, including procurement, to support the delivery of patient care within the NSW health system. In 2018, HealthShare procured high-value goods and services contracts with an annual estimated total spend of around $1.8 billion, with most of the contracts of long duration.

HealthShare’s Contract Management Guide states that, without rigorous contract management, 75 per cent of projected sourcing savings can disappear within 18 months of the contract starting.

This audit examined whether HealthShare has the required capability to effectively manage high-value goods and services contracts. Contracts we examined included critical items such as food services in hospitals, patient transport services, intravenous equipment and kidney dialysis services, where risks include patient safety as well as value for money. We did not examine infrastructure, construction or information communication and technology contracts. We also did not examine HealthShare’s sourcing processes, including identifying business needs, tendering and contract award.

We assessed HealthShare against the following criteria:

  1. HealthShare's systems, policies and procedures support effective contract management and are consistent with relevant frameworks, policies and guidelines.
  2. HealthShare has capable personnel to effectively conduct the monitoring activities throughout the life of the contract.

We included the NSW Public Service Commission and NSW Treasury, through NSW Procurement, as auditees because they administer policies which directly affect contract management capability. These include:

  • NSW Procurement Board Directions and policies
  • NSW Government Procurement Policy Framework
  • Accreditation Program for Goods and Services Procurement
  • the NSW Public Sector Capability Framework.

NSW Procurement was transferred to NSW Treasury from the former Department of Finance, Services and Innovation on 1 July 2019 as part of changes to government administrative arrangements.

Conclusion

HealthShare is not applying the capability needed to effectively manage high-value (over $250,000) goods and services contracts. HealthShare's procurement framework includes elements that should support effective contract management, and it has a systematic approach to managing staff contract management capability. That said, HealthShare is not implementing key contract management elements of its own framework. As such, the value for money or savings it achieves when it negotiates contracts is at risk of being eroded over the life of these contracts.

Effective contract management is essential for HealthShare to ensure contracts it enters into are delivering the goods and services expected and achieving value for money, safety and quality. The Ministry of Health and HealthShare have invested in developing and implementing systems and tools to support effective contract management. In line with its obligations under the Agency Accreditation Program for Goods and Services Procurement (accreditation program), the Ministry of Health mandates the use of contract management plans for high-value contracts. The Ministry of Health also requires that all health entities use the PROcure contract management system for ongoing management of contracts with a value over $150,000. HealthShare is not complying with these directions for over 80 per cent of the contracts it manages.

In the absence of HealthShare following its framework, and the Ministry of Health’s directions, we looked for other evidence that HealthShare was effectively managing high-value contracts. We found that HealthShare’s contract management practices were limited by inadequate performance monitoring.

When Local Health Districts (LHDs) need to procure high-value goods and services, the Ministry of Health’s procurement policy requires that they use HealthShare to source and manage the procurement. This is to manage risk and provide oversight of procurement and contracts across the NSW health system. Despite this policy, HealthShare was only managing the sourcing stage of the procurement and transferring responsibility for contract management to the relevant LHD.

Appendix one – Response from agencies

Appendix two – Contract performance management summary

Appendix three – About the audit

Appendix four – Performance auditing

 

Parliamentary Reference: Report number #328 - released 31 October 2019

Published

Ensuring contract management capability in government - Department of Education

Education
Compliance
Internal controls and governance
Management and administration
Procurement
Workforce and capability

This report examines whether the Department of Education has the required contract management capability to effectively manage high-value goods and services contracts (over $250,000). In 2017–18, the department managed high-value goods and services contracts worth $3.08 billion, with most of the contracts running over multiple years.

NSW government agencies are increasingly delivering services and projects through contracts with third parties. These contracts can be complex and governments face challenges in negotiating and implementing them effectively.

Contract management capability is a broad term, which can include aspects of individual staff capability as well as organisational capability (such as policies, frameworks and processes).

In 2017–18, the Department of Education (the Department) managed high-value (over $250,000) goods and services contracts worth $3.08 billion, with most of the contracts running over multiple years. The Department delivers, funds and regulates education services for NSW students from early childhood to secondary school.

This audit examined whether the Department has the required capability to effectively manage high-value goods and services contracts.

We did not examine infrastructure, construction or information communication and technology contracts. We assessed the Department against the following criteria:

  1. The Department’s policies and procedures support effective contract management and are consistent with relevant frameworks, policies and guidelines.
  2. The Department has capable personnel to effectively conduct the monitoring activities throughout the life of the contract.

The NSW Public Service Commission and the Department of Finance, Services and Innovation are included as auditees as they administer policies which directly affect contract management capability, including:

  • NSW Procurement Board Directions and policies
  • NSW Procurement Agency Accreditation Scheme
  • NSW Public Sector Capability Framework.

The Department of Finance, Services and Innovation's responsibility for NSW Procurement will transfer to NSW Treasury on 1 July 2019 as part of changes to government administrative arrangements announced on 2 April 2019 and amended on 1 May 2019.

Conclusion

The Department of Education's procedures and policies for goods and services contract management are consistent with relevant guidance. It also has a systemic approach to defining the capability required for contract management roles. That said, there are gaps in how well the Department uses this capability to ensure its contracts are performing. We also found one program (comprising 645 contracts) that was not compliant with the Department's policies.

The Department has up-to-date policies and procedures that are consistent with relevant guidance. The Department also communicates changes to procurement related policies, monitors compliance with policies and conducts regular reviews aiming to identify non-compliance.

The Department uses the NSW Public Service Commission's capability framework to support its workforce management and development. The capability framework includes general contract management capability for all staff and occupation specific capabilities for contract managers. The Department also provides learning and development for staff who manage contracts to improve their capability.

The Department provides some guidance on different ways that contract managers can validate performance information provided by suppliers. However, the Department does not provide guidance to assist contract managers to choose the best validation strategy according to contract risk. This could lead to inconsistent practice and contracts not delivering what they are supposed to.

We found that none of the 645 contracts associated with the Assisted Schools Travel Program (estimated value of $182 million in 2018–19) have contract management plans. This is contrary to the Department's policies and increases the risk that contract managers are not effectively reviewing performance and resolving disputes.

Appendix one - Response from agencies

Appendix two - About the audit

Appendix three - Performance auditing

 

Parliamentary Reference: Report number #325 - released 28 June 2019

Published

Engagement of probity advisers and probity auditors

Transport
Education
Health
Compliance
Internal controls and governance
Procurement
Project management
Workforce and capability

Three key agencies are not fully complying with the NSW Procurement Board’s Direction for engaging probity practitioners, according to a report released today by the Acting Auditor-General for New South Wales, Ian Goodwin. They also do not have effective processes to achieve compliance or assure that probity engagements achieved value for money.

Probity is defined as the quality of having strong moral principles, honesty and decency. Probity is important for NSW Government agencies as it helps ensure decisions are made with integrity, fairness and accountability, while attaining value for money.

Probity advisers provide guidance on issues concerning integrity, fairness and accountability that may arise throughout asset procurement and disposal processes. Probity auditors verify that agencies' processes are consistent with government laws and legislation, guidelines and best practice principles. 

According to the NSW State Infrastructure Strategy 2018-2038, New South Wales has more infrastructure projects underway than any state or territory in Australia. The scale of the spend on procuring and constructing new public transport networks, roads, schools and hospitals, the complexity of these projects and public scrutiny of aspects of their delivery has increased the focus on probity in the public sector. 

A Procurement Board Direction, 'PBD-2013-05 Engagement of probity advisers and probity auditors' (the Direction), sets out the requirements for NSW Government agencies' use and engagement of probity practitioners. It confirms agencies should routinely take into account probity considerations in their procurement. The Direction also specifies that NSW Government agencies can use probity advisers and probity auditors (probity practitioners) when making decisions on procuring and disposing of assets, but that agencies:

  • should use external probity practitioners as the exception rather than the rule
  • should not use external probity practitioners as an 'insurance policy'
  • must be accountable for decisions made
  • cannot substitute the use of probity practitioners for good management practices
  • not engage the same probity practitioner on an ongoing basis, and ensure the relationship remains robustly independent. 

The scale of probity spend may be small in the context of the NSW Government's spend on projects. However, government agencies remain responsible for probity considerations whether they engage external probity practitioners or not.

The audit assessed whether Transport for NSW, the Department of Education and the Ministry of Health:

  • complied with the requirements of ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’
  • effectively ensured they achieved value for money when they used probity practitioners.

These entities are referred to as 'participating agencies' in this report.

We also surveyed 40 NSW Government agencies with the largest total expenditures (top 40 agencies) to get a cross sector view of their use of probity practitioners. These agencies are listed in Appendix two.

Conclusion

We found instances where each of the three participating agencies had not fully complied with the requirements of the NSW Procurement Board Direction ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’ when they engaged probity practitioners. We also found they did not have effective processes to achieve compliance or assure the engagements achieved value for money.

In the sample of engagements we selected, we found instances where the participating agencies did not always:

  • document detailed terms of reference
  • ensure the practitioner was sufficiently independent
  • manage probity practitioners' independence and conflict of interest issues transparently
  • provide practitioners with full access to records, people and meetings
  • establish independent reporting lines – reporting was limited to project managers
  • evaluate whether value for money was achieved.

We also found:

  • agencies tend to rely on only a limited number of probity service providers, sometimes using them on a continuous basis, which may threaten the actual or perceived independence of probity practitioners
  • the NSW Procurement Board does not effectively monitor agencies' compliance with the Direction's requirements. Our enquiries revealed that the Board has not asked any agency to report on its use of probity practitioners since the Direction's inception in 2013. 

There are no professional standards and capability requirements for probity practitioners

NSW Government agencies use probity practitioners to independently verify that their procurement and asset disposal processes are transparent, fair and accountable in the pursuit of value for money. 

Probity practitioners are not subject to regulations that require them to have professional qualifications, experience and capability. Government agencies in New South Wales have difficulty finding probity standards, regulations or best practice guides to reference, which may diminish the degree of reliance stakeholders can place on practitioners’ work.

The NSW Procurement Board provides direction for the use of probity practitioners

The NSW Procurement Board Direction 'PBD-2013-15 for engagement of probity advisers and probity auditors' outlines the requirements for agencies' use of probity practitioners in the New South Wales public sector. All NSW Government agencies, except local government, state owned corporations and universities, must comply with the Direction when engaging probity practitioners. This is illustrated in Exhibit 1 below.